Browser history for Firefox 3 can be gathered by connecting to the Sqlite database and performing simple queries. For example, the URLs visited and the date and time of the visit can be gathered with this query:<pre>SELECT datetime(moz_historyvisits.visit_date/1000000,'unixepoch'), moz_places.url

+

Live browser history for Firefox 3 can be gathered by connecting to the Sqlite database and performing simple queries. For example, the URLs visited and the date and time of the visit can be gathered with this query:<pre>SELECT datetime(moz_historyvisits.visit_date/1000000,'unixepoch'), moz_places.url

FROM moz_places, moz_historyvisits

FROM moz_places, moz_historyvisits

WHERE moz_places.id = moz_historyvisits.place_id</pre>

WHERE moz_places.id = moz_historyvisits.place_id</pre>

Latest revision as of 10:38, 13 September 2011

Starting in Firefox 3, a new file format is used to record browser history information. Rather than storing this information in a flat file using the mork file format, the information is kept in a SQLite database.

File Header

Firefox 3 history files start with

53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33

which represents the ascii string SQLite format 3. This is normal for any Sqlite database file, so it may be more appropriate to verify that the file is a Firefox 3 history file by looking for the database tables within the file. For example, at offset 120701 (0x1D77D) the hex value

moz_places

The moz_places table holds some of the information necessary to reconstruct the browser history.

id INTEGER PRIMARY KEY
url LONGVARCHAR (The whole URL string)
title LONGVARCHAR (The title presented from the TITLE tags on the page)
rev_host LONGVARCHAR (this is the host name from the URL in reverse)
visit_count INTEGER
hidden INTEGER
typed INTEGER
favicon_id INTEGER
frecency INTEGER

moz_historyvisits

The moz_historyvisits table holds the other information that you need to link up with moz_places to reconstruct the browser history.

The place_id column of the moz_historyvisits table corresponds to the id column of the moz_places table.

The visit_date column keeps time in PRTime format, a 64-bit integer representing the number of microseconds since midnight (00:00:00) 1 January 1970 Coordinated Universal Time (UTC). This level of precision may be more than what is required for a forensic application, but the PRTime format can easily be converted into CTime format by dividing by 1,000,000. The datetime function in SQLite can be used to convert CTime to human readable format, as demonstrated in the example below.

The visit_type column is an integer that represents one of seven types.

1

TRANSITION_LINK

This transition type means the user followed a link and got a new toplevel window.

2

TRANSITION_TYPED

This transition type means that the user typed the page's URL in the URL bar or selected it from URL bar autocomplete results, clicked on it from a history query (from the History sidebar, History menu, or history query in the personal toolbar or Places organizer.

3

TRANSITION_BOOKMARK

This transition is set when the user followed a bookmark to get to the page.

4

TRANSITION_EMBED

This transition type is set when some inner content is loaded. This is true of all images on a page, and the contents of the iframe. It is also true of any content in a frame, regardless of whether or not the user clicked something to get there.

5

TRANSITION_REDIRECT_PERMANENT

Set when the transition was a permanent redirect.

6

TRANSITION_REDIRECT_TEMPORARY

Set when the transition was a temporary redirect.

7

TRANSITION_DOWNLOAD

Set when the transition is a download.

Gathering browser history

Live browser history for Firefox 3 can be gathered by connecting to the Sqlite database and performing simple queries. For example, the URLs visited and the date and time of the visit can be gathered with this query: